https://issues.apache.org/bugzilla/show_bug.cgi?id=53952
--- Comment #20 from Christopher Schultz <ch...@christopherschultz.net> ---

Given the comment in OpenSSL that SSL_OP_PKCS1_CHECK_{1,2} were never used, I think it's reasonable to use the new symbolic names and remove the old ones.

Note that it will also require a patch to Tomcat trunk as well.

Interestingly, there is this comment in o.a.t.jni.SSL:

    /* The next flag deliberately changes the ciphertest, this is a check
     * for the PKCS#1 attack */
    public static final int SSL_OP_PKCS1_CHECK_1 = 0x08000000;
    public static final int SSL_OP_PKCS1_CHECK_2 = 0x10000000;

Neither of these constants are used anywhere in Tomcat trunk, so I'm not sure a) what that comment means and b) whether there is anything to be concerned about.

That comment is attributed to mturk, but so is nearly the entire file, so I suspect that his commit r423920 just ended up touching every line in the file or something. tcnative's code has the same comment in the same place (SSL.java) attributed to mturk in r300716, where it seems those constants were actually added. That was way back in 2005.

I wonder if Mladen remembers whether that comment is relevant anymore.